Adlice forum
Software feedback => RogueKiller => Topic started by: hessa on October 13, 2014, 10:49:56 PM
-
I'd be very grateful if anyone could let me know what I need to delete from the log below. Many thanks
RogueKiller V8.8.7 _x64_ [Feb 11 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : John [Admin rights]
Mode : Scan -- Date : 10/13/2014 21:32:00
| ARK || FAK || MBR |
¤¤¤ Bad processes : 6 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll [x] -> UNLOADED
[SUSP PATH][DLL] explorer.exe -- C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll [x] -> UNLOADED
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\AVworks\DRS.dll [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\EP0NM4RE.DLL [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\EP0NM4RE.DLL [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\CNBJOP5Q.DLL [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\CNBJOP5Q.DLL [-] -> regsvr32.exe KILLED [TermProc]
¤¤¤ Registry Entries : 14 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : YjPack (C:\Windows\SysWOW64\regsvr32.exe C:\Users\John\AppData\Local\AVworks\DRS.dll [-][-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : ASworks (regsvr32.exe C:\Users\John\AppData\Local\ASworks\EP0NM4RE.DLL [x][-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : ASworks Update (regsvr32.exe C:\Users\John\AppData\Local\ASworks\CNBJOP5Q.DLL [x][-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : mfpmp ("C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe" [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3136640419-4058625718-2404794061-1001\[...]\Run : YjPack (C:\Windows\SysWOW64\regsvr32.exe C:\Users\John\AppData\Local\AVworks\DRS.dll [-][-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3136640419-4058625718-2404794061-1001\[...]\Run : ASworks (regsvr32.exe C:\Users\John\AppData\Local\ASworks\EP0NM4RE.DLL [x][-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3136640419-4058625718-2404794061-1001\[...]\Run : ASworks Update (regsvr32.exe C:\Users\John\AppData\Local\ASworks\CNBJOP5Q.DLL [x][-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3136640419-4058625718-2404794061-1001\[...]\Run : mfpmp ("C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe" [x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\RunOnce : mfpmp ("C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe" [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3136640419-4058625718-2404794061-1001\[...]\RunOnce : mfpmp ("C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe" [x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE ("C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe" [x]) -> FOUND
[AUTORUN] HKCU\[...]\Command Processor : AutoRun ("C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe") -> FOUND
¤¤¤ Scheduled tasks : 3 ¤¤¤
[V1][SUSP PATH] 0814avUpdateInfo.job : C:\ProgramData\Avg_Update_0814av\0814av_AVG-Secure-Search-Update.exe - /SETINFO /CMPID=0814av /INFORETRY=3 [7] -> FOUND
[V2][SUSP PATH] 0814avUpdateInfo : C:\ProgramData\Avg_Update_0814av\0814av_AVG-Secure-Search-Update.exe - /SETINFO /CMPID=0814av /INFORETRY=3 [7] -> FOUND
[V2][SUSP PATH] UpdateContacts : "%ProgramData%\Sony Corporation\VAIO Care\UpdateContacts.exe" - taskschedule [x][x] -> FOUND
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
[Faked][File] acpiex.sys : C:\WINDOWS\system32\drivers\acpiex.sys [-] --> FOUND
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost
5.45.78.80 www.google-analytics.com.
5.45.78.80 google-analytics.com.
5.45.78.80 connect.facebook.net.
107.181.174.68 www.google-analytics.com.
107.181.174.68 google-analytics.com.
107.181.174.68 connect.facebook.net.
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST500LT012-9WS142 +++++
--- User ---
[MBR] 75967bd12650fec168bab641bee94055
[BSP] bcb5cb800d8f9456c5ee93563fd672f9 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) AXM13S2-24GM-B +++++
--- User ---
[MBR] ff8a7d4ef7d790533c5790a9db5f18bc
[BSP] 4f293b8dbe5670a12d25d7bacb52d7a7 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_S_10132014_21320
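The report above carries two indicator types worth triaging mechanically: hosts-file lines that point well-known names at routable addresses (the google-analytics and facebook entries), and Run-key autostarts that launch regsvr32 against a DLL under the user's AppData. The script below is an added example and is not RogueKiller's own code or anything the poster ran; it parses constructed sample lines in the shape of the v8 report (the sample is not real scan output) and flags both patterns. The "user-writable location" heuristic (AppData, ProgramData, Temp) is an assumption of this example, not a RogueKiller rule.

```python
"""Defender-side triage of RogueKiller 8.x style report lines (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the report above; not a real scan output.
SAMPLE_LOG = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : YjPack (C:\Windows\SysWOW64\regsvr32.exe C:\Users\John\AppData\Local\AVworks\DRS.dll [-][-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : mfpmp ("C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe" [x]) -> FOUND
[RUN] HKLM\[...]\Run : VendorTray ("C:\Program Files\Vendor\tray.exe") -> FOUND
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.invalid
5.45.78.80 www.google-analytics.com.
107.181.174.68 connect.facebook.net.
"""

SECTION_RE = re.compile(r"^¤¤¤")
# [RUN][flags...] <registry key> : <value name> (<command>) -> FOUND
RUN_RE = re.compile(
    r"^\[RUN\](?:\[[^\]]*\])*\s+(?P<key>.+?) : (?P<name>\S+) \((?P<cmd>.*)\) -> FOUND$"
)
# Assumption of this example: legitimate software rarely autostarts from these locations.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)
REGSVR32_RE = re.compile(r"regsvr32(\.exe)?\s", re.IGNORECASE)


def parse_hosts_section(log: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs listed under the report's HOSTS File section."""
    entries: List[Tuple[str, str]] = []
    in_hosts = False
    for line in log.splitlines():
        if SECTION_RE.match(line):
            in_hosts = "HOSTS File" in line  # any other ¤¤¤ header ends the section
            continue
        if not in_hosts or not line.strip() or line.startswith(("-->", "#")):
            continue
        tokens = line.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # not a hosts entry
        for host in tokens[1:]:  # one hosts line may carry several names
            entries.append((tokens[0], host.rstrip(".")))  # drop the FQDN trailing dot
    return entries


def hijacked_hosts_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep entries that map a name to a routable address; loopback and 0.0.0.0 are benign."""
    flagged = []
    for ip, host in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, host))
    return flagged


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Extract key, value name and command from every [RUN] line."""
    matches = (RUN_RE.match(line) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]


def suspicious_run_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag autostarts whose target lives in a user-writable path or is loaded via regsvr32."""
    flagged: List[Dict[str, object]] = []
    for entry in entries:
        reasons = []
        if USER_WRITABLE_RE.search(entry["cmd"]):
            reasons.append("autostart target in user-writable location")
        if REGSVR32_RE.search(entry["cmd"]):
            reasons.append("regsvr32 used to load a DLL at logon")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for ip, host in hijacked_hosts_entries(parse_hosts_section(SAMPLE_LOG)):
        print(f"hosts hijack: {host} -> {ip}")
    for entry in suspicious_run_entries(parse_run_entries(SAMPLE_LOG)):
        print(f"autostart {entry['name']} ({entry['key']}): {'; '.join(entry['reasons'])}")
```

Run against the sample, the hosts check reports the two google-analytics/facebook redirections and ignores the loopback and 0.0.0.0 lines, and the Run-key check flags YjPack and mfpmp but not the Program Files entry. The point is the response, not the parsing: a hosts-file redirection of analytics and CDN names to a routable address should be treated as traffic interception until the address is accounted for, and a logon autostart that loads a DLL from AppData through regsvr32 is a persistence mechanism to remove along with the file it references.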
-
Looks like you're infected.
I'm really concerned about the faked file, could you start a scan with TDSSKiller?
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe
-
Thanks Tigzy,
I ran the scan you suggested and came up blank, no threats!
Computer certainly seems to be playing up, so I need to do something. Also ran the Microsoft utility scan and that didn't identify anything. I tried the RogueKiller deleting options and, following that, have the report below. Scanning again with RK following this and will post up the report. Hoping this will have resolved things.
Thanks again for the assistance.
RogueKiller V8.8.7 _x64_ [Feb 11 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : John [Admin rights]
Mode : DNSFix -- Date : 10/14/2014 19:04:28
| ARK || FAK || MBR |
¤¤¤ Bad processes : 6 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll
[SUSP PATH][DLL] explorer.exe -- C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\AVworks\DRS.dll [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\EP0NM4RE.DLL [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\EP0NM4RE.DLL [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\CNBJOP5Q.DLL [-] -> regsvr32.exe KILLED [TermProc]
[SUSP PATH][DLL] regsvr32.exe -- C:\Users\John\AppData\Local\ASworks\CNBJOP5Q.DLL [-] -> regsvr32.exe KILLED [TermProc]
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
Finished : << RKreport[0]_DN_10142014_190428.txt >>
RKreport[0]_D_10142014_190405.txt;RKreport[0]_H_10142014_190422.txt;RKreport[0]_S_10132014_213200.txt
-
Looks like you ran a very old version.
Could you retry with latest, which is 10.0.1?
-
Just downloaded the latest version and I have AVG on my computer, which isn't allowing me to open the file. Any suggestions?
Thanks
-
They suck :)
Could you report the false positive to them?
-
Yeah, I'm beginning to think so too.
Is my best option to delete AVG for now and then run the scan? Can't think I'm going to get much help from them.
-
Don't delete it; you can turn it off during the download/scan, then turn it back on.
-
Thanks for your help Tigzy, new scan report with updated software below. Please advise whether I need to delete the lot or not.
For info, my Flash Player has ceased working and crashes before any video can be played.
RogueKiller V10.0.1.0 [Oct 10 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : John [Administrator]
Mode : Scan -- Date : 10/15/2014 21:02:07
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 9 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\1SecureIconsProvider | (default) : {FC9D8189-520A-4417-AED7-9EAC810C6FBA} -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3136640419-4058625718-2404794061-1001\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3136640419-4058625718-2404794061-1001\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{837F7D77-5873-4ACC-8515-C516100B4EAB} | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{837F7D77-5873-4ACC-8515-C516100B4EAB} | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 2 ¤¤¤
[Suspicious.Path][File] mfpmp.lnk -- C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mfpmp.lnk [LNK@] C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe -> Found
[Suspicious.Path][File] MRINFO.lnk -- C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MRINFO.lnk [LNK@] C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\MRINFO.EXE -> Found
¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LT012-9WS142 +++++
--- User ---
[MBR] 75967bd12650fec168bab641bee94055
[BSP] bcb5cb800d8f9456c5ee93563fd672f9 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: AXM13S2-24GM-B +++++
--- User ---
[MBR] ff8a7d4ef7d790533c5790a9db5f18bc
[BSP] 4f293b8dbe5670a12d25d7bacb52d7a7 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK
-
Still having problems with Flash Player. Ran the scan again after the last clean-up, report below; it didn't identify anything coloured orange, so I assume it hasn't identified anything wrong!
RogueKiller V10.0.1.0 [Oct 10 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : John [Administrator]
Mode : Scan -- Date : 10/15/2014 23:37:32
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3136640419-4058625718-2404794061-1001\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3136640419-4058625718-2404794061-1001\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{837F7D77-5873-4ACC-8515-C516100B4EAB} | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{837F7D77-5873-4ACC-8515-C516100B4EAB} | DhcpNameServer : 192.168.1.1 0.0.0.0 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500LT012-9WS142 +++++
--- User ---
[MBR] 75967bd12650fec168bab641bee94055
[BSP] bcb5cb800d8f9456c5ee93563fd672f9 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: AXM13S2-24GM-B +++++
--- User ---
[MBR] ff8a7d4ef7d790533c5790a9db5f18bc
[BSP] 4f293b8dbe5670a12d25d7bacb52d7a7 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_DEL_10152014_211744.log - RKreport_DEL_10152014_214539.log - RKreport_SCN_10152014_210207.log
-
Remove this:
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\1SecureIconsProvider | (default) : {FC9D8189-520A-4417-AED7-9EAC810C6FBA} -> Found
[Suspicious.Path][File] mfpmp.lnk -- C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mfpmp.lnk [LNK@] C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\mfpmp.exe -> Found
[Suspicious.Path][File] MRINFO.lnk -- C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MRINFO.lnk [LNK@] C:\Users\John\AppData\Roaming\Microsoft\Windows\IEUpdate\MRINFO.EXE -> Found
-
Thanks Tigzy, seems to have done the trick. Updated Firefox and Flash and that seems resolved as well so happy days.
Much appreciated. :)
-
No problem, glad it helped :)